89174acde0ea21562e6186847ba7d12aacd9b2b2132f456dd8335680daadd9a9

Resubmissions

22-03-2024 09:15

240322-k7zasaaf27 10

22-03-2024 09:13

240322-k66ngacf7t 6

Analysis

max time kernel
17s
max time network
32s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
22-03-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$RM5APQX.exe
Size

23.0MB
MD5

f9ce897d93d4f77bca3cca8541a8addb
SHA1

4ac5a68266c842fb997fd755c9d10d1975baa71f
SHA256

89174acde0ea21562e6186847ba7d12aacd9b2b2132f456dd8335680daadd9a9
SHA512

57ad25f1a3b1514e579fd9f61102d0e6ea42e32bb9371fa447ab6e8c4403a018ee5b1959f3038dd591c930ecc4b535abe6851693334a67542acb7877152b0a6a
SSDEEP

393216:w95Rjktqn778Sd3o+83Jsv6tWKFdu9CwvUiPbKv647n+YlmYz:MRjkG7Iq3oOD2vegm0

Score

6^/10

discovery

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	$RM5APQX.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	$RM5APQX.exe

Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe	$RM5APQX.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.Hp1672	$RM5APQX.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.lock	$RM5APQX.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting	$RM5APQX.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.Uh1672	$RM5APQX.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.em1672	$RM5APQX.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.gq1672	$RM5APQX.exe
File created	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.Uh1672	$RM5APQX.exe
File opened for modification	C:\Program Files\Microvirt\tempDir\Setup.exe.setting.em1672	$RM5APQX.exe

Loads dropped DLL 3 IoCs

pid	Process
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1672	$RM5APQX.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1672	$RM5APQX.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	$RM5APQX.exe
Token: SeShutdownPrivilege	1672	$RM5APQX.exe
Token: SeCreatePagefilePrivilege	1672	$RM5APQX.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe
1672	$RM5APQX.exe

C:\Users\Admin\AppData\Local\Temp\$RM5APQX.exe
"C:\Users\Admin\AppData\Local\Temp\$RM5APQX.exe"
1⤵
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1672

C:\Users\Admin\AppData\Local\Temp\Product_files\rsStubActivator.exe
"C:\Users\Admin\AppData\Local\Temp\Product_files\rsStubActivator.exe" -ip:"dui=465e9b44a619b94d817de716cff76515c1aa39ad&dit=20240322091441481&is_silent=true&oc=DOT_RAV_Cross_Tri_NCB&p=c52b&a=100&b=&se=true" -vp:"dui=465e9b44a619b94d817de716cff76515c1aa39ad&dit=20240322091441481&oc=DOT_RAV_Cross_Tri_NCB&p=c52b&a=100&oip=26&ptl=7&dta=true" -dp:"dui=465e9b44a619b94d817de716cff76515c1aa39ad&dit=20240322091441481&oc=DOT_RAV_Cross_Tri_NCB&p=c52b&a=100" -i -v -d
1⤵
PID:844
- C:\Users\Admin\AppData\Local\Temp\lxohhakc.exe
  "C:\Users\Admin\AppData\Local\Temp\lxohhakc.exe" /silent
  2⤵
  PID:2064

C:\Users\Admin\AppData\Local\Temp\Product_files\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\Product_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
1⤵
PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microvirt\tempDir\Setup.exe.setting

Filesize
246B

MD5
c692a69ea96a80fc008b5aeb14fe1f5a

SHA1
54754c9394eea70a37a4c554ae74f69f867bf379

SHA256
61c91c81a51f4761d6ac272fcb60bbedce353f612d21bd4d1c3cdbd82422b71f

SHA512
7a0e825304d3e9b8e021a71a4cda2382f8006ec1070d9b8d26b7a1ef104810fa94ac999f04213cf522b373e0021db7f8ee16930e4af5ea8a05e2b98cb5a07007

Download Submit
C:\Program Files\Microvirt\tempDir\Setup.exe.setting

Filesize
246B

MD5
f4438af4fc4f2c95c03b4a682c15968d

SHA1
4c35adb872601df3f7f7b51136adc5411c7fcf62

SHA256
86d9b87fb330abb59b7d9951ab6815dec3717185c891b26ffb30c0d09128b09a

SHA512
7dbac225bb28dfd8b7433adcd9330168aadd3559f96ce40a9d3f08c2fda2034ce0b7992a2a743bc44168b0b078193c7f6f6979c4376363f1beae44491e0e2e8e

Download Submit
C:\Program Files\Microvirt\tempDir\Setup.exe.setting

Filesize
246B

MD5
13da069f2365dbbed794adb7f010efc7

SHA1
5348a49a61d39f74295afe4cbeba354678563db4

SHA256
5a4e0b1b4da8e02de5339799942c70111887f5540bbf837a8d9b023145ca2716

SHA512
04917246c1ce5b7363b196cf15c2bb94e19f61f767331c11e02d2c1182c3bad4ce456ae3478f8fe739c50a7fdbaa3344336bc909be03ddbe01e694c2ca40ddeb

Download Submit
C:\Program Files\Microvirt\tempDir\Setup.exe.setting.Uh1672

Filesize
234B

MD5
7d5de2d941da6f42d2e4d7d729621d61

SHA1
e8c7872677bd887c10052324129fb18c21b98b67

SHA256
eaf0e96e046b846b5364ab8ee4722a0440e9da472a317f091751e4b5f2ce8b63

SHA512
d0e3091ecd09cd8c9632ad39fd19496bd6af3536727e0a82c948e9627f2ff6b0f8611076165a9267f3d4fc57e9d58a3e3be0df18f8451d461e1cf19197f20526

Download Submit
C:\Program Files\Microvirt\tempDir\Setup.exe.setting.lock

Filesize
23B

MD5
273f8bbcbf0bdda3e6bd57f4ed9a2e3d

SHA1
bff1f1fb0ddc3624032d8626d50c5f5be56cab6d

SHA256
415f4809a2a34932068bd6769a17331c1ce01e665a9a4e4b3705e4509c4d42c2

SHA512
501a6dcfa52d81fc8202d7622408ff83edb234e11a97b9a9265c7d43c90e5ece183d1980a3711ab571af9f33caf4d74ba6c3d78581ddc0ee31b5fa6bbc9237e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Product_files\rsStubActivator.exe

Filesize
44KB

MD5
01d000abb6713f6a89ffc3a323082106

SHA1
5ff1769bc4c12cc109bdec10fce859e407620e5b

SHA256
dc1097cd6641438713932c2c082f8edf2889bd97532cabb6938466926b83fe13

SHA512
335dbc9c931cd3795fada625fe87019e726338b0dca1b697690f8ae4ac0635a6d61736e0aedde1a5fd68cdd8199a420e61ca298c15cd3d4701b10030da963f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Product_files\saBSI.exe

Filesize
1.1MB

MD5
bb7cf61c4e671ff05649bda83b85fa3d

SHA1
db3fdeaf7132448d2a31a5899832a20973677f19

SHA256
9d04462e854ef49bcd6059767248a635912ce0f593521a7cc8af938e6a027534

SHA512
63798024e1e22975d1be1e8bff828040d046d63df29f07d6161c868526d5f08451e44b5fa60bfb0c22cf7880abc03aaedafa2c5c844c3aeff640e6fac9586aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxohhakc.exe

Filesize
425KB

MD5
80ad7845bc4fcb18f7ce0f7aa8824e9a

SHA1
6fa18e9a81ed48c49c908202af7e6b5e2d31acfe

SHA256
d85b2fd9bd7e3a42d1efe335b10a02d02a026dbd508d4ea6c9b00279f575f3df

SHA512
2c07351a5ca4478b66e3996c5d7e34423fd3c558d897924fdd13f58583f9eeef10ccf0909592a346ff7e5b7abd4bf69ecb3b1ec63fde259afccdca1449febf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxohhakc.exe

Filesize
384KB

MD5
2f31e5e849fa8730ef2133d5993bc323

SHA1
97f28e6d0b9986256a82475bf433faf4eb717c46

SHA256
bea5ac024ca4584ceeecb78785ca518f81b250562ecadf46a037165d0c91e3ec

SHA512
5aa21e023e1bccbc1658f993ff8af01245db11a2bd2bbd684a161f0968ad65c0b828ed4a66083363ac4efd15f898ddbb3ed3dbe120d9508b7af8aa7bdfe8bab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxohhakc.exe

Filesize
320KB

MD5
38ccc8a12d180b73c922da2c4bbb6804

SHA1
442921e9c0f0f0ce45b06d354822da3b9fa7f010

SHA256
56cfeb78b5ef23634aa29f62df79b956b3d23499e4cd58815207b069597a3a53

SHA512
74f8b5c650d2c65d36b07cdbce3aa1abc2afe81d7bfb115aa2155199974ee443aa87d92973c581ce3ad7043a97d29e69728a7b6be4e49df8107fa2683de95424

Download Submit
C:\Users\Admin\AppData\Local\Temp\mds\mds.dll

Filesize
212KB

MD5
48f07e86c6d50f527d7fd5026a3fbe5c

SHA1
64184c950bc0622df2c8e7707d37fae566ee5722

SHA256
b1317206a12f105e28338fea33c5d1a66df07fb35586bb4e1727555bec90e71b

SHA512
9172b41d51643349cb0d755d1f90ffbe15cb7bd4ed80700d91c73f4afba17055f0488fd1d5858dea2843d545fd4752751d081dcf2117204cafe0f6fc3cf30c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszF6E4.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
memory/844-73-0x00000297F8200000-0x00000297F8208000-memory.dmp

Filesize
32KB

Download
memory/844-160-0x00000297FA0B0000-0x00000297FA0C0000-memory.dmp

Filesize
64KB

Download
memory/844-153-0x00007FFC86E00000-0x00007FFC878C2000-memory.dmp

Filesize
10.8MB

Download
memory/844-105-0x00000297FAD20000-0x00000297FB248000-memory.dmp

Filesize
5.2MB

Download
memory/1672-27-0x000000000A100000-0x000000000A62C000-memory.dmp

Filesize
5.2MB

Download
memory/1672-20-0x0000000074400000-0x000000007443E000-memory.dmp

Filesize
248KB

Download
memory/1672-22-0x0000000008CE0000-0x0000000009286000-memory.dmp

Filesize
5.6MB

Download
memory/1672-29-0x0000000006720000-0x0000000006730000-memory.dmp

Filesize
64KB

Download
memory/1672-19-0x00000000064F0000-0x000000000652E000-memory.dmp

Filesize
248KB

Download
memory/1672-15-0x0000000006720000-0x0000000006730000-memory.dmp

Filesize
64KB

Download
memory/1672-28-0x0000000004320000-0x000000000432A000-memory.dmp

Filesize
40KB

Download
memory/1672-21-0x0000000073B50000-0x0000000074301000-memory.dmp

Filesize
7.7MB

Download
memory/1672-26-0x0000000008BC0000-0x0000000008C26000-memory.dmp

Filesize
408KB

Download
memory/1672-25-0x0000000009290000-0x000000000932C000-memory.dmp

Filesize
624KB

Download
memory/1672-24-0x0000000008B00000-0x0000000008B44000-memory.dmp

Filesize
272KB

Download
memory/1672-23-0x0000000006600000-0x0000000006692000-memory.dmp

Filesize
584KB

Download